Thanks Kyle,
I agree the testcase is great and works in my tests.
This is exactly what I needed to craft the SRU template as needed.

But OTOH about severity of this, as it will mean everyone having ssh installed 
(which is almost every installation out there) will have to download and 
install a new package. I was wondering if there is a (can be more complex and 
doesn't have to have step-by-step instructions) real use-case that is making 
this bug more severe by breaking it. If there isn't, I'm tempted to say it is a 
correct bug and fix, but doesn't qualify to do the SRU on its own.
We might then still prep it completely but hold it in -proposed to only release 
it together with some other more severe update that will force a new download 
anyway.

Looking forward to your answer and adding the SRU template for now ...

** Changed in: openssh (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: openssh (Ubuntu Bionic)
   Importance: Undecided => Low

** Description changed:

- SSHD closes the connection and logs the error message below when a
- client presents a protoversion of "1.99":
+ [Impact]
  
-     Protocol major versions differ for X.X.X.X port X:
+  * The version check in ssh was broken no more following RFC 4253 and
+    thereby denying some clients that it shouldn't
+ 
+  * Upstream fixed that and this is backporting the changes to bionic.
+ 
+ [Test Case]
+ 
+  # Prep
+  * configure the ssh server to generally work
+  # Testcase
+  $ wget 
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
+  $ apt install python3-paramiko
+  $ python3 test_bug_1863930.py localhost (or whatever your host is)
+ 
+  Will report "Server is not patched." or "Server is patched.
+ 
+ [Regression Potential]
+ 
+ TODO
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ --
+ 
+ 
+ SSHD closes the connection and logs the error message below when a client 
presents a protoversion of "1.99":
+ 
+     Protocol major versions differ for X.X.X.X port X:
  SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX
  
  RFC 4253 only states that clients should treat a server's protoversion
  of "1.99" as equivalent to "2.0"; however, some backward-compatible
  clients send a protoversion of "1.99" and expect the server to treat it
  as "2.0".
  
  This regression was introduced in openssh-portable 7.6p1 from commit
  97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06.
  I've attached a patch with both of those fixes.
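
Review bot: In [Test Case], the expected-result line (Will report "Server is not patched." or "Server is patched.) is missing its closing quote and never says which message is the pass condition; state that an updated server must report "Server is patched." The "$ apt install python3-paramiko" step is shown at an unprivileged prompt although it needs root, and [Regression Potential] is still TODO in this revision.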

** Description changed:

  [Impact]
  
-  * The version check in ssh was broken no more following RFC 4253 and
-    thereby denying some clients that it shouldn't
+  * The version check in ssh was broken no more following RFC 4253 and
+    thereby denying some clients that it shouldn't
  
-  * Upstream fixed that and this is backporting the changes to bionic.
+  * Upstream fixed that and this is backporting the changes to bionic.
  
  [Test Case]
  
-  # Prep
-  * configure the ssh server to generally work
-  # Testcase
-  $ wget 
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
-  $ apt install python3-paramiko
-  $ python3 test_bug_1863930.py localhost (or whatever your host is)
+  # Prep
+  * configure the ssh server to generally work
+  # Testcase
+  $ wget 
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
+  $ apt install python3-paramiko
+  $ python3 test_bug_1863930.py localhost (or whatever your host is)
  
-  Will report "Server is not patched." or "Server is patched.
+  Will report "Server is not patched." or "Server is patched.
+ 
+  * for an extra regression check it might be worth to do some "normal" ssh 
+    connections as well
  
  [Regression Potential]
  
- TODO
+  * The change is very small and reviewable as well as being upstream and 
+    in all Ubuntu releases >=Cosmic for a while now so it seems safe.
+    If anything the kind of regression to expect is that some former 
+    (wrong) connection denials will then succeed. I can only think of
+    that being an issue in test suites but not in the real world.
  
  [Other Info]
-  
-  * n/a
+ 
+  * n/a
  
  --
  
- 
- SSHD closes the connection and logs the error message below when a client 
presents a protoversion of "1.99":
+ SSHD closes the connection and logs the error message below when a
+ client presents a protoversion of "1.99":
  
      Protocol major versions differ for X.X.X.X port X:
  SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX
  
  RFC 4253 only states that clients should treat a server's protoversion
  of "1.99" as equivalent to "2.0"; however, some backward-compatible
  clients send a protoversion of "1.99" and expect the server to treat it
  as "2.0".
  
  This regression was introduced in openssh-portable 7.6p1 from commit
  97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06.
  I've attached a patch with both of those fixes.
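
Review bot: The extra regression check added to [Test Case] ("do some "normal" ssh connections as well") is too vague to verify for an SRU; name a concrete check, such as a login with a standard SSH-2.0 client against the updated server, so the unchanged 2.0 path is confirmed. Most of the other -/+ pairs in this revision differ only in whitespace, which makes the two real changes (this bullet and the [Regression Potential] text) hard to spot.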

** Changed in: openssh (Ubuntu Bionic)
     Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

https://bugs.launchpad.net/bugs/1863930

Title:
  SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Bionic:
  Triaged

Bug description:
  [Impact]

   * The version check in ssh was broken, no longer following RFC 4253 and
     thereby denying some clients that it shouldn't

   * Upstream fixed that and this is backporting the changes to bionic.

  [Test Case]

   # Prep
   * configure the ssh server to generally work
   # Testcase
   $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
   $ apt install python3-paramiko
   $ python3 test_bug_1863930.py localhost (or whatever your host is)

   Will report "Server is not patched." or "Server is patched."

   * for an extra regression check it might be worth doing some "normal" ssh 
     connections as well

  [Regression Potential]

   * The change is very small and reviewable as well as being upstream and 
     in all Ubuntu releases >=Cosmic for a while now so it seems safe.
     If anything the kind of regression to expect is that some former 
     (wrong) connection denials will then succeed. I can only think of
     that being an issue in test suites but not in the real world.

  [Other Info]

   * n/a

  --

  SSHD closes the connection and logs the error message below when a
  client presents a protoversion of "1.99":

      Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX

  RFC 4253 only states that clients should treat a server's protoversion
  of "1.99" as equivalent to "2.0"; however, some backward-compatible
  clients send a protoversion of "1.99" and expect the server to treat
  it as "2.0".

  This regression was introduced in openssh-portable 7.6p1 from commit
  97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06.
  I've attached a patch with both of those fixes.
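
To answer the severity question with data from an affected server, the following added example (not part of the bug report or of OpenSSH) scans sshd log lines for the error message quoted above and separates clients that announced "1.99" from other protocol-version rejections. It assumes the message is logged on a single line; the syslog prefix, addresses and client names in the sample are constructed.

```python
import re
from collections import Counter

# The sshd message quoted in the bug description, assumed to be logged on one line:
#   Protocol major versions differ for <addr> port <port>: <server id> vs. <client id>
MISMATCH = re.compile(
    r"Protocol major versions differ for (?P<addr>\S+) port (?P<port>\d+):\s*"
    r"(?P<server>SSH-.+?) vs\. SSH-(?P<proto>[^-\s]+)-(?P<software>\S*)"
)

def triage(lines):
    """Split rejected clients into (affected, other) Counters keyed by (addr, software)."""
    affected, other = Counter(), Counter()
    for line in lines:
        m = MISMATCH.search(line)
        if m is None:
            continue  # unrelated sshd log line
        key = (m["addr"], m["software"])
        if m["proto"] == "1.99":
            # Backward-compatible client expecting 1.99 to be treated as 2.0:
            # this rejection is the regression described in the bug.
            affected[key] += 1
        else:
            # Any other protoversion mismatch is not this bug.
            other[key] += 1
    return affected, other

# Constructed sample: syslog prefix, addresses and client names are made up.
SAMPLE_LOG = [
    "Feb 20 10:01:12 host sshd[1201]: Protocol major versions differ for 192.0.2.10 port 50112: "
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-ExampleClient_1.0",
    "Feb 20 10:01:40 host sshd[1207]: Protocol major versions differ for 192.0.2.10 port 50140: "
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-ExampleClient_1.0",
    "Feb 20 10:03:02 host sshd[1215]: Protocol major versions differ for 198.51.100.7 port 40022: "
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.5-LegacyScanner",
    "Feb 20 10:04:55 host sshd[1220]: Accepted publickey for admin from 192.0.2.33 port 51000 ssh2",
]

if __name__ == "__main__":
    affected, other = triage(SAMPLE_LOG)
    for (addr, software), n in affected.most_common():
        print(f"{addr} {software}: {n} connection(s) rejected by the 1.99 check")
    print(f"{sum(other.values())} other protocol-version rejection(s) not caused by this bug")
```
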
